Lev Nikolaevich

Reputation: 33

ASP.NET - OpenIdConnect - The redirect URI is not well-formed

When I use OpenIdConnect I have a problem in OpenIdConnectHandler (line 394).

So, I use a Cyrillic domain http://грант-лев.рф (just for example) and the redirect URI in OpenIdConnectHandler looks incorrect:

The redirect URI is not well-formed. The URI is: 'http://грант-лев.рф:5000/connect/authorize?client_id=RosgrantService&redirect_uri=http%3A%2F%2Fxn----7sbhbm9amwu.xn--p1ai%3A5002%2Fsignin-oidc&

It seems punycode like here, redirect_uri=http%3A%2F%2Fxn----7sbhbm9amwu.xn--p1ai, would be good, but I don't know where I can handle it.

Moreover, after this warning I catch an exception in Kestrel:

System.InvalidOperationException: Invalid non-ASCII or control character in header: 0x0433
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ThrowInvalidHeaderCharacter(Char ch)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ValidateHeaderCharacters(String headerCharacters)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.FrameHeaders.ValidateHeaderCharacters(StringValues headerValues)
   ....

So, how can I turn my Cyrillic domain into punycode to prevent the warning and the Kestrel crash in OpenIdConnectHandler?

UPDATE: It could be useful https://github.com/aspnet/Security/issues/1646

Also, I've solved the problem by using a workaround: http://amilspage.com/set-identityserver4-url-behind-loadbalancer/

Upvotes: 3

Views: 1158

Answers (1)

Kavindu Dodanduwa

Reputation: 13059

The issue is with the internationalised domain name you are using.

tldr; OpenID Connect does not allow IDN in redirect URI.

Explanation

OpenID Connect is built on top of OAuth 2.0. Because of that, it inherits key protocol definitions from OAuth 2.0. Below is an extract of the definition of the redirection endpoint:

3.1.2. Redirection Endpoint

The redirection endpoint URI MUST be an absolute URI as defined by RFC3986 Section 4.3.

According to the OAuth 2.0 definition, you cannot use an internationalised redirect endpoint, since its definition is based on RFC3986 (as shown above).

Now here is the extract from RFC3986 about the characters allowed in a URI:

Characters

The ABNF notation defines its terminal values to be non-negative integers (codepoints) based on the US-ASCII coded character set [ASCII]. Because a URI is a sequence of characters, we must invert that relation in order to understand the URI syntax. Therefore, the integer values used by the ABNF must be mapped back to their corresponding characters via US-ASCII in order to complete the syntax rules.

If you want to convert an IDN to valid ASCII, you may use the IdnMapping class to do the mapping. This question explains how to use it.

Issues with IDN for OpenID Connect/OAuth 2.0

In OAuth 2.0, you need to validate the redirect URI. So if you are using an IDN, you need to convert it and store it at the authorization server. This way you solve one issue: your authorization server would accept the redirect URI that comes in.

But the response to the authorization request could be problematic. From your client application, you are using an IDN. But you have registered the ASCII value of your redirect endpoint to comply with the protocol definition. When the authorization server responds, your client application cannot receive the response, as there is no redirection endpoint matching the ASCII value.

If your authorisation server could handle punycode conversions, then the problem could be solved in a customised manner. But if it can't, the only option is to use an ASCII-based redirection endpoint.

Upvotes: 1
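As an added example (not code from the question, the answer, or ASP.NET Core itself), the following shows the two points above in C#: converting the host of an IDN redirect URI to its ASCII form with IdnMapping, and comparing an incoming redirect_uri with the registered one only after both have been normalised, so the exact-match check on the authorization server side still works whichever form each side stored. The class and method names are my own; the host value is the one from the question.

```csharp
using System;
using System.Globalization;

// Added example: normalising an internationalised redirect URI to its
// ASCII (punycode) form and validating redirect URIs after normalisation.
// The class and method names are hypothetical, not part of any library.
public static class RedirectUriIdn
{
    private static readonly IdnMapping Idn = new IdnMapping();

    // Returns the same URI with the host replaced by its ASCII-compatible form.
    // Hosts that are already ASCII come back unchanged; scheme, port, path and
    // query are kept, so only the part RFC3986 objects to is rewritten.
    public static string ToAsciiRedirectUri(string redirectUri)
    {
        var uri = new Uri(redirectUri, UriKind.Absolute);
        var builder = new UriBuilder(uri)
        {
            // For the question's host this yields xn----7sbhbm9amwu.xn--p1ai
            Host = Idn.GetAscii(uri.Host)
        };
        return builder.Uri.AbsoluteUri;
    }

    // Authorization-server-side check: exact (ordinal) comparison, but on the
    // normalised form of both values, so a client registered with the Unicode
    // host and a request carrying the punycode host still match.
    public static bool RedirectUriMatches(string registered, string incoming)
    {
        return string.Equals(
            ToAsciiRedirectUri(registered),
            ToAsciiRedirectUri(incoming),
            StringComparison.Ordinal);
    }

    public static void Main()
    {
        // Sample values constructed from the question's example domain.
        const string unicodeUri = "http://грант-лев.рф:5002/signin-oidc";
        const string asciiUri = "http://xn----7sbhbm9amwu.xn--p1ai:5002/signin-oidc";

        Console.WriteLine(ToAsciiRedirectUri(unicodeUri));
        Console.WriteLine(RedirectUriMatches(asciiUri, unicodeUri));
    }
}
```

Normalising on both sides is the important design choice: an ordinal comparison of raw strings would reject a legitimate client whenever one side stored the Unicode host and the other the punycode host, while loosening the comparison (prefix or case-insensitive matching) weakens the redirect URI validation that OAuth 2.0 relies on. Converting first and then comparing exactly keeps the strict check.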
